我想修改与本地用户帐户关联的用户权限。我想将组和用户添加到特定的用户权限。这是通过打开组策略并打开控制台树中的以下文件夹来完成的:计算机配置\Windows设置\安全设置\本地策略\用户权限分配。然后单击所需的用户权限并将用户或组添加到其中。有没有可能通过powershell脚本做同样的事情?
我的做法是：在基线计算机上打开 SecPol.msc，通过 GUI 完成修改，然后导出一个 .inf 安全模板，再由 PowerShell（实际调用 secedit.exe）把模板导入到其他机器。需要注意 `secedit /configure` 会应用模板中的全部设置，而不只是用户权限分配；如果只想下发用户权限，可以在文本编辑器中打开该 .inf，只保留 [Unicode]、[Version] 和 [Privilege Rights] 三个节，其余节删掉。[Privilege Rights] 节的格式如下：
[Privilege Rights]
; Each right is a comma-separated list of principals. Entries starting with "*" are raw SIDs
; (S-1-1-0 = Everyone, S-1-5-19 = LOCAL SERVICE); bare names are resolved when the template is imported.
; This line only illustrates the format: SeDenyServiceLogonRight is a *Deny* right, and a Deny entry
; overrides any Allow, so listing Everyone here would block service logon for every account in that group.
; Put only the principals you actually intend to deny on this line.
SeDenyServiceLogonRight = *S-1-1-0,*S-1-5-19, KNUCKLE-DRAGGER
在提升权限（以管理员身份运行）的 PowerShell 中执行以下命令，然后重新引导；/db 指向的数据库文件不存在时会被新建。根据需要修改 .inf 和 .db 的路径。
# Import the template into the local security policy. /cfg is the .inf template, /db is the working
# database secedit builds from it, /quiet suppresses prompts. Run from an elevated prompt; on failure
# check secedit's log (%windir%\security\logs\scesrv.log by default, or pass /log <file>).
secedit.exe /configure /cfg C:\customsettings.inf /db C:\WINDOWS\security\Database\customsettings.db /quiet
找到了一个第三方命令行工具 ntwrongs.exe：http://forums.mydigitallife.info/threads/57557-NTWrongs 。注意这是来自论坛的第三方二进制文件，而且修改 LSA 策略必须以管理员身份运行它——使用前请核对来源并校验文件哈希。
# Add the local Administrator account to the "Deny log on as a service" list.
# SeDenyServiceLogonRight is a Deny right, so "granting" it removes the ability, it does not add one.
.\NTWRONGS.exe -ID "Administrator" -Privilege "SeDenyServiceLogonRight"
# Remove the account from that list again.
.\NTWRONGS.exe -ID "Administrator" -Privilege "SeDenyServiceLogonRight" -Revoke
下面是一个纯 PowerShell 的方法（用 Add-Type 内嵌 C#，通过 P/Invoke 调用 advapi32 的 LSA 策略 API）——https://stackoverflow.com/a/26393118 。需要在提升权限的会话中运行，否则 LsaOpenPolicy 会返回拒绝访问：
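# Pure PowerShell approach: an inline C# P/Invoke wrapper around the LSA policy API
# (adapted from https://stackoverflow.com/a/26393118). Run it from an elevated session;
# otherwise LsaOpenPolicy returns STATUS_ACCESS_DENIED, surfaced as UnauthorizedAccessException.
#
# Changes from the original snippet:
#   * GetSIDInformation returned a pointer into the LsaLookupNames2 result buffer *after* freeing
#     that buffer with LsaFreeMemory (use-after-free). The SID is now copied into our own
#     unmanaged buffer, which is released after LsaAddAccountRights.
#   * The policy handle is opened with POLICY_LOOKUP_NAMES | POLICY_CREATE_ACCOUNT (what
#     LsaLookupNames2 / LsaAddAccountRights require) instead of POLICY_ALL_ACCESS.
#   * Leftover Console.WriteLine debug output and unused usings/structs are gone.
# Only granting is wrapped; revocation (LsaRemoveAccountRights) is not implemented here.
Add-Type @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Principal;

namespace LSA
{
    using LSA_HANDLE = IntPtr;

    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES
    {
        internal int Length;
        internal IntPtr RootDirectory;
        internal IntPtr ObjectName;
        internal int Attributes;
        internal IntPtr SecurityDescriptor;
        internal IntPtr SecurityQualityOfService;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct LSA_UNICODE_STRING
    {
        internal ushort Length;         // byte count, not counting a terminator
        internal ushort MaximumLength;  // byte count including room for a terminator
        [MarshalAs(UnmanagedType.LPWStr)]
        internal string Buffer;
    }

    /// <summary>Raw advapi32 entry points used by <see cref="LsaWrapper"/>.</summary>
    sealed class Win32Sec
    {
        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurity]
        internal static extern uint LsaOpenPolicy(
            LSA_UNICODE_STRING[] SystemName,
            ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
            int AccessMask,
            out IntPtr PolicyHandle);

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurity]
        internal static extern uint LsaAddAccountRights(
            LSA_HANDLE PolicyHandle,
            IntPtr pSID,
            LSA_UNICODE_STRING[] UserRights,
            int CountOfRights);

        [DllImport("advapi32", CharSet = CharSet.Unicode, SetLastError = true), SuppressUnmanagedCodeSecurity]
        internal static extern int LsaLookupNames2(
            LSA_HANDLE PolicyHandle,
            uint Flags,
            uint Count,
            LSA_UNICODE_STRING[] Names,
            ref IntPtr ReferencedDomains,
            ref IntPtr Sids);

        [DllImport("advapi32")]
        internal static extern int LsaNtStatusToWinError(int NTSTATUS);

        [DllImport("advapi32")]
        internal static extern int LsaClose(IntPtr PolicyHandle);

        [DllImport("advapi32")]
        internal static extern int LsaFreeMemory(IntPtr Buffer);
    }

    /// <summary>
    /// Grants a user right or privilege ("SeServiceLogonRight", "SeBatchLogonRight",
    /// "SeInteractiveLogonRight", ...) to an account through the LSA policy database.
    /// The caller must be elevated; otherwise the constructor throws UnauthorizedAccessException.
    /// </summary>
    public sealed class LsaWrapper : IDisposable
    {
        [StructLayout(LayoutKind.Sequential)]
        struct LSA_TRANSLATED_SID2
        {
            internal SidNameUse Use;
            internal IntPtr Sid;        // points into the LSA-owned Sids buffer
            internal int DomainIndex;
            internal uint Flags;
        }

        enum SidNameUse : int
        {
            User = 1,
            Group = 2,
            Domain = 3,
            Alias = 4,
            KnownGroup = 5,
            DeletedAccount = 6,
            Invalid = 7,
            Unknown = 8,
            Computer = 9
        }

        enum Access : int
        {
            POLICY_VIEW_LOCAL_INFORMATION = 0x00000001,
            POLICY_CREATE_ACCOUNT = 0x00000010,
            POLICY_LOOKUP_NAMES = 0x00000800,
            POLICY_READ = 0x20006,
            POLICY_ALL_ACCESS = 0x00F0FFF,
            POLICY_EXECUTE = 0x20801,
            POLICY_WRITE = 0x207F8
        }

        const uint STATUS_ACCESS_DENIED = 0xc0000022;
        const uint STATUS_INSUFFICIENT_RESOURCES = 0xc000009a;
        const uint STATUS_NO_MEMORY = 0xc0000017;

        IntPtr lsaHandle;

        /// <summary>Opens the policy of the local system.</summary>
        public LsaWrapper() : this(null) { }

        /// <summary>
        /// Opens the LSA policy of <paramref name="systemName"/> (null = local system).
        /// </summary>
        /// <exception cref="UnauthorizedAccessException">Caller lacks the requested policy access (not elevated).</exception>
        /// <exception cref="OutOfMemoryException">LSA reported insufficient resources.</exception>
        /// <exception cref="Win32Exception">Any other NTSTATUS, converted to a Win32 error code.</exception>
        public LsaWrapper(string systemName)
        {
            LSA_OBJECT_ATTRIBUTES attributes = new LSA_OBJECT_ATTRIBUTES();
            // All other members must be zero / IntPtr.Zero; only Length is meaningful to LsaOpenPolicy.
            attributes.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));

            LSA_UNICODE_STRING[] system = null;
            if (systemName != null)
            {
                system = new LSA_UNICODE_STRING[1];
                system[0] = InitLsaString(systemName);
            }

            // Least privilege: LsaLookupNames2 needs POLICY_LOOKUP_NAMES and LsaAddAccountRights
            // additionally needs POLICY_CREATE_ACCOUNT for accounts not yet in the LSA database.
            int access = (int)(Access.POLICY_LOOKUP_NAMES | Access.POLICY_CREATE_ACCOUNT);
            lsaHandle = IntPtr.Zero;
            ThrowOnStatus(Win32Sec.LsaOpenPolicy(system, ref attributes, access, out lsaHandle));
        }

        /// <summary>
        /// Adds <paramref name="privilege"/> (e.g. "SeBatchLogonRight") to the account named by
        /// <paramref name="account"/> (a local name, DOMAIN\name or UPN accepted by LsaLookupNames2).
        /// </summary>
        /// <exception cref="ArgumentException">Empty argument, or the name did not resolve to a SID.</exception>
        /// <exception cref="ObjectDisposedException">The wrapper has already been disposed.</exception>
        /// <exception cref="UnauthorizedAccessException">LSA refused the change.</exception>
        /// <exception cref="Win32Exception">Lookup or assignment failed with another NTSTATUS.</exception>
        public void AddPrivileges(string account, string privilege)
        {
            if (string.IsNullOrEmpty(account))
                throw new ArgumentException("account must not be empty", "account");
            if (string.IsNullOrEmpty(privilege))
                throw new ArgumentException("privilege must not be empty", "privilege");
            if (lsaHandle == IntPtr.Zero)
                throw new ObjectDisposedException("LsaWrapper");

            // LookupSid hands back a buffer we own (AllocHGlobal); release it whatever happens.
            IntPtr pSid = LookupSid(account);
            try
            {
                LSA_UNICODE_STRING[] rights = new LSA_UNICODE_STRING[1];
                rights[0] = InitLsaString(privilege);
                ThrowOnStatus(Win32Sec.LsaAddAccountRights(lsaHandle, pSid, rights, 1));
            }
            finally
            {
                Marshal.FreeHGlobal(pSid);
            }
        }

        /// <summary>Closes the policy handle. Safe to call more than once.</summary>
        public void Dispose()
        {
            if (lsaHandle != IntPtr.Zero)
            {
                Win32Sec.LsaClose(lsaHandle);
                lsaHandle = IntPtr.Zero;
            }
            GC.SuppressFinalize(this);
        }

        ~LsaWrapper()
        {
            Dispose();
        }

        // Maps the NTSTATUS codes the original snippet distinguished onto managed exceptions.
        static void ThrowOnStatus(uint status)
        {
            if (status == 0)
                return;
            if (status == STATUS_ACCESS_DENIED)
                throw new UnauthorizedAccessException();
            if (status == STATUS_INSUFFICIENT_RESOURCES || status == STATUS_NO_MEMORY)
                throw new OutOfMemoryException();
            throw new Win32Exception(Win32Sec.LsaNtStatusToWinError((int)status));
        }

        // Resolves an account name to a SID and returns a *copy* of it in an HGlobal buffer
        // that the caller must free with Marshal.FreeHGlobal. The LSA-owned lookup buffers are
        // released here, so nothing returned from this method points into them.
        IntPtr LookupSid(string account)
        {
            LSA_UNICODE_STRING[] names = new LSA_UNICODE_STRING[1];
            names[0] = InitLsaString(account);

            IntPtr domains = IntPtr.Zero;
            IntPtr sids = IntPtr.Zero;
            int status = Win32Sec.LsaLookupNames2(lsaHandle, 0, 1, names, ref domains, ref sids);
            try
            {
                if (status != 0)
                    throw new Win32Exception(Win32Sec.LsaNtStatusToWinError(status));

                LSA_TRANSLATED_SID2 translated =
                    (LSA_TRANSLATED_SID2)Marshal.PtrToStructure(sids, typeof(LSA_TRANSLATED_SID2));
                if (translated.Sid == IntPtr.Zero
                    || translated.Use == SidNameUse.Invalid
                    || translated.Use == SidNameUse.Unknown)
                {
                    throw new ArgumentException("Account could not be resolved to a SID: " + account, "account");
                }

                // Copy the SID out of the LSA buffer before that buffer is freed below.
                SecurityIdentifier sid = new SecurityIdentifier(translated.Sid);
                byte[] raw = new byte[sid.BinaryLength];
                sid.GetBinaryForm(raw, 0);
                IntPtr copy = Marshal.AllocHGlobal(raw.Length);
                Marshal.Copy(raw, 0, copy, raw.Length);
                return copy;
            }
            finally
            {
                if (sids != IntPtr.Zero)
                    Win32Sec.LsaFreeMemory(sids);
                if (domains != IntPtr.Zero)
                    Win32Sec.LsaFreeMemory(domains);
            }
        }

        // Builds a counted LSA string. Lengths are byte counts and must fit in a ushort,
        // hence the 0x7ffe character limit (0x7ffe * 2 + 2 = 0xfffe).
        static LSA_UNICODE_STRING InitLsaString(string s)
        {
            if (s.Length > 0x7ffe)
                throw new ArgumentException("String too long");
            LSA_UNICODE_STRING lus = new LSA_UNICODE_STRING();
            lus.Buffer = s;
            lus.Length = (ushort)(s.Length * sizeof(char));
            lus.MaximumLength = (ushort)(lus.Length + sizeof(char));
            return lus;
        }
    }

    /// <summary>Convenience entry point callable from PowerShell as [LSA.Editor]::AddPrivileges.</summary>
    public class Editor
    {
        /// <summary>Grants <paramref name="privilege"/> to <paramref name="account"/> on the local system.</summary>
        public static void AddPrivileges(string account, string privilege)
        {
            using (LsaWrapper lsaWrapper = new LsaWrapper())
            {
                lsaWrapper.AddPrivileges(account, privilege);
            }
        }
    }
}
'@

# Grant "Log on as a batch job" to the example account. The second argument is the right's
# constant name, the same spelling that appears under [Privilege Rights] in a secedit template.
[LSA.Editor]::AddPrivileges("KNUCKLE-DRAGGER", "SeBatchLogonRight")

# Open the Local Security Policy console to confirm the assignment took effect.
secpol.msc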
在 @Knuckle-Dragger 的回答基础上补充：用上面的 LSA（Add-Type）方法无法把用户加入 SeCreateSymbolicLinkPrivilege（计算机配置〉Windows设置〉安全设置〉本地策略〉用户权限分配〉创建符号链接），总是报错"指定的域要么不存在,要么无法联系"；改用他的 secedit 方法则可以，帐户名使用 whoami 输出中的 DOMAIN\user 形式：
secreatesymboliclinkprivilege
whoami
DOMAIN\user
# Export the current local policy database to a template file named "config" in the current directory.
SecEdit.exe /export /db C:\WINDOWS\security\Database\secedit.sdb /cfg config
# Edited the file, appending just ',DOMAIN\user' to this line
# (*S-1-5-83-0 = NT VIRTUAL MACHINE\Virtual Machines, *S-1-5-32-544 = BUILTIN\Administrators):
# secreatesymboliclinkprivilege = *S-1-5-83-0,*S-1-5-32-544,DOMAIN\user
# Re-import. NOTE: /db here is a relative path while the export used an absolute one; if the file
# does not exist in the current directory secedit creates a fresh database from the template alone.
# Use the same /db path in both commands to apply the edit against the exported database.
SecEdit.exe /configure /db secedit.sdb /cfg config
我要做的是打开SecPol.msc,通过GUI对基线计算机进行修改,然后导出一个.inf模板,以便通过PowerShell进行安装。
该模板可以使用secedit.exe安装。如果需要,可以在文本编辑器中打开inf文件并滚动,直到看到
[Privilege Rights]
部分。运行此命令并重新引导。根据需要编辑.inf和.db名称。
找到第三方命令行解决方案。ntwrongs.exe
http://forums.mydigitallife.info/threads/57557-NTWrongs%99
下面是一个纯粹的powershell方法-https://stackoverflow.com/a/26393118
在@Knuckle-Dragger的回答基础上:
无法将用户添加到
secreatesymboliclinkprivilege
设置(计算机配置〉Windows设置〉安全设置〉本地策略〉用户权限分配〉创建符号链接),总是带有错误“指定的域要么不存在,要么无法联系”,它与他的方法一起工作,whoami
输出中的DOMAIN\user
帐户: